// https://syzkaller.appspot.com/bug?id=b3a3f3c5847b6abc44d26cdbef71e61d909e8f92 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #ifndef __NR_bpf #define __NR_bpf 321 #endif uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // bpf$MAP_CREATE arguments: [ // cmd: const = 0x0 (8 bytes) // arg: ptr[inout, array[ANYUNION]] { // array[ANYUNION] { // union ANYUNION { // ANYBLOB: buffer: {23 00 00 00 08 00 00 00 02 00 00 00 ff ff 00 00 // 05} (length 0x11) // } // } // } // size: len = 0x48 (8 bytes) // ] // returns fd_bpf_map memcpy((void*)0x200000000840, "\x23\x00\x00\x00\x08\x00\x00\x00\x02\x00\x00\x00\xff\xff\x00\x00\x05", 17); res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200000000840ul, /*size=*/0x48ul); if (res != -1) r[0] = res; // bpf$MAP_UPDATE_ELEM_TAIL_CALL arguments: [ // cmd: const = 0x2 (8 bytes) // arg: ptr[inout, bpf_map_update_tail_call_arg] { // bpf_map_update_tail_call_arg { // map: tail_call_map_update { // in: tail_call_map_fd (resource) // out: tail_call_map (resource) // } // pad = 0x0 (4 bytes) // key: ptr[in, const[0, const]] { // const = 0x0 (4 bytes) // } // val: ptr[in, fd_bpf_prog] { // fd_bpf_prog (resource) // } // flags: const = 0x0 (8 bytes) // } // } // size: len = 0x20 (8 bytes) // ] *(uint32_t*)0x200000000140 = r[0]; *(uint64_t*)0x200000000148 = 0x2000000000c0; *(uint32_t*)0x2000000000c0 = 0; *(uint64_t*)0x200000000150 = 0x200000000100; *(uint32_t*)0x200000000100 = -1; *(uint64_t*)0x200000000158 = 0; res = syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x200000000140ul, /*size=*/0x20ul); if (res != -1) r[1] = *(uint32_t*)0x200000000140; // bpf$BPF_MAP_LOOKUP_AND_DELETE_BATCH arguments: [ // cmd: const = 0x19 (8 bytes) // arg: ptr[in, bpf_map_batch_arg] { // bpf_map_batch_arg { // in_batch: nil // out_batch: nil // key: nil // val: nil // count: int32 = 0x2 (4 bytes) // map_fd: fd_bpf_map (resource) // elem_flags: bpf_batch_flags = 0x0 (8 bytes) // flags: const = 0x0 (8 bytes) // } // } // size: len = 0x38 (8 bytes) // ] *(uint64_t*)0x2000000018c0 = 0; *(uint64_t*)0x2000000018c8 = 0; *(uint64_t*)0x2000000018d0 = 0; *(uint64_t*)0x2000000018d8 = 0; *(uint32_t*)0x2000000018e0 = 2; *(uint32_t*)0x2000000018e4 = r[1]; *(uint64_t*)0x2000000018e8 = 0; *(uint64_t*)0x2000000018f0 = 0; syscall(__NR_bpf, /*cmd=*/0x19ul, /*arg=*/0x2000000018c0ul, /*size=*/0x38ul); return 0; }